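#!/usr/bin/env bash
#SRM tcpdump monitor
#
# Captures inbound HTTP GET/POST request headers on all interfaces and writes
# one condensed, timestamped line per request (timestamp, src > dst, request
# line / Host / X-Real-IP fragments) to /data/tcpdumplog/<hostname><YYYYMMDD>.log.
# Any tcpdump already running with this script's filter is stopped first so
# that only one capture is active at a time.
#
# Requires: bash, tcpdump (root or CAP_NET_RAW/CAP_NET_ADMIN), grep, awk, pgrep.
set -u

#exclude IP
excludeIp=' (src host not 172.28.34.94) and '

#include IP (optional: leave empty to accept any source; uncomment to narrow)
#includeIp=' (src net 192.168 or src net 10) and '
includeIp=''

#include http size >0 && GET/POST
# TCP payload length != 0 and the first 4 payload bytes are "GET " (0x47455420)
# or "POST" (0x504f5354). The GET magic also serves as the marker used below to
# find a previously started instance of this capture.
includeHttp='(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

#fileName use host
path=/data/tcpdumplog
filename="$(hostname)$(date +%Y%m%d).log"

if [[ ! -d "$path" ]]; then
  mkdir -p -- "$path" || exit 1
fi
cd -- "$path" || exit 1
if [[ ! -f "$filename" ]]; then
  # NOTE(review): the log holds raw HTTP header text selected from the -A
  # output (Host, X-Real-IP, and whatever else shares those lines); if other
  # local users must not read it, set a restrictive umask or chmod the file
  # here — confirm the intended readership before changing permissions.
  touch -- "$filename" || exit 1
fi

# kill if exists: match the full command line of a tcpdump that carries this
# script's filter (the GET magic 0x47455420), so unrelated tcpdump instances
# are left alone. pgrep never matches itself, and this script's own command
# line does not contain the filter text.
pids=$(pgrep -f 'tcpdump.*0x47455420' || true)
if [[ -n "$pids" ]]; then
  printf 'start kill pid: %s...\n' "$pids"
  # SIGTERM lets tcpdump flush its buffers and exit cleanly; SIGKILL would
  # drop buffered packets and is not needed for tcpdump.
  # shellcheck disable=SC2086 -- $pids is intentionally word-split, one pid per word
  kill -- $pids
fi

# Pipeline:
#   tcpdump   -tttt human timestamps, -A ASCII payload, -l line-buffered,
#             -Q in inbound only, -c 500000 stop after that many packets,
#             -n no name resolution, -i any all interfaces.
#   grep -Ei  keep the packet header line ("src > dst"), the request line
#             ("HTTP/"), Host: and X-Real-IP: header lines.
#   awk #1    keep the first six fields of each line.
#   awk #2    fold lines that do not start with a YYYY-MM-DD timestamp onto the
#             preceding timestamped line; END{print T} flushes the last record,
#             which the original loop never emitted.
#   awk #3    drop anything that still does not start with a timestamp (this
#             also removes the empty record printed before the first packet).
# Output is appended (>>) so that restarting the capture on the same day does
# not discard what was already logged to the date-named file. The original
# redirect target was "$(unknown)", a non-existent command, which expanded to
# the directory path and made the redirect fail.
tcpdump -tttt -A -l -Q in -c 500000 -ni any "$excludeIp $includeIp $includeHttp" \
  | grep -Ei "> |HTTP/|^Host:|X-Real-IP:" \
  | awk '{print $1,$2,$3,$4,$5,$6}' \
  | awk '{if(!match($1, /^([0-9][0-9][0-9][0-9](-)[0-9][0-9](-)[0-9]+)/)){T=T" "$0;next}else{print T;T=$0;}}END{print T}' \
  | awk '/^([0-9][0-9][0-9][0-9](-)[0-9][0-9](-)[0-9]+)/{print}' >> "${path}/${filename}"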
